We have two DCs on our internal network (one old and one new). We are trying to migrate to the new DC, but the only thing stopping us is that external DNS resolution does not work with the new DC unless, under the DNS MMC, we set it to forward to our old DC.

The firewall is open for DNS. We know this because on the new server, when we do an nslookup and use "server 8.8.8.8" (Google DNS), it works. Set it back to itself and it does not work.

The old DC has been demoted and all internal DNS and DHCP has been moved to the new DC; the only thing not working is external resolution. Any ideas of things I could try?

The old DC does not have a forwarder set (it works); the new DC only works if the forwarder is set to the old DC. It does not work on its own like the old DC does. But it also works if I set the forwarder to Google public DNS. Just not without any forwarder (root names).
– medoix, May 19 '11 at 6:24


If your DNS server can't resolve a DNS query, it will forward the query to the server you set as forwarder; if this server does not respond, it will ask the root entries. So I ask myself why it works on your old server without a forwarder set... The usual practice is to set a forwarder for zones the server itself can't resolve.
– duenni, May 19 '11 at 7:06

I disabled EDNS using the below command, and all is working now. Our firewall at production must allow these packets, just not the firewall in our office. I will need to investigate this further with our firewall manufacturer.

A further fix for the device itself. Problem: Cisco and Juniper firewalls by default limit DNS UDP packets to a maximum size of 512 bytes. Windows Server 2008 by default ships with EDNS enabled, which uses DNS packets larger than 512 bytes. How do I enable support for this? Solution:

set security alg dns maximum-message-length 1500

This adjusts the maximum UDP message size for DNS packets to 1500 bytes. If you allow even bigger packets (check MTU/MRU), then adjust the number accordingly.
– medoix, May 23 '11 at 4:36
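The mechanism behind the last comment, as an added example that is not part of the original thread: a Windows DNS server with EDNS0 enabled appends an OPT pseudo-record to its queries advertising that it can take UDP replies larger than 512 bytes, so upstream servers send large replies in a single UDP datagram instead of truncating them and letting the resolver retry over TCP. A DNS ALG that enforces the classic 512-byte ceiling silently drops those datagrams, and the query times out. The code below builds queries with and without the OPT record, parses the advertised size back out, and models the server, the ALG and the resolver outcome for a constructed 1200-byte referral. The advertised size (4096), the 1200-byte answer and the constant names are assumptions for illustration; the Windows-side switch the comment refers to but does not quote is typically `dnscmd /Config /EnableEDNSProbes 0`.

```python
"""Added example (not from the original thread): why an EDNS0-enabled DNS server
stops resolving behind a firewall whose DNS ALG caps UDP messages at 512 bytes."""
import struct
from typing import Optional, Tuple

RFC1035_UDP_MAX = 512            # classic UDP DNS ceiling; also the default ALG limit in the thread
EDNS_ADVERTISED = 4096           # assumed value advertised in the OPT record for this example
OPT_TYPE = 41                    # RFC 6891 OPT pseudo-RR type


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (no label compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234,
                edns_payload: Optional[int] = EDNS_ADVERTISED) -> bytes:
    """Build a recursive query for `name`. If edns_payload is given, append an OPT
    pseudo-RR in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if edns_payload:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return pkt


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past an uncompressed wire-format name (assumption: queries we build use none)."""
    while buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + 1


def client_udp_limit(query: bytes) -> int:
    """Parse a query and return the UDP size the client is willing to receive:
    the OPT-advertised value if present (never below 512 per RFC 6891), else 512."""
    qdcount, _an, _ns, arcount = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):                      # skip QNAME + QTYPE + QCLASS
        pos = _skip_name(query, pos) + 4
    for _ in range(arcount):                      # walk the additional section looking for OPT
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(rclass, RFC1035_UDP_MAX)
    return RFC1035_UDP_MAX


def server_udp_reply(query: bytes, answer_len: int) -> Tuple[int, bool]:
    """Model the upstream server: send the full answer in one UDP datagram if it fits
    the client's limit; otherwise truncate to the limit and set TC (forcing a TCP retry)."""
    limit = client_udp_limit(query)
    if answer_len <= limit:
        return answer_len, False
    return limit, True


def firewall_alg_passes(udp_len: int, max_message_length: int = RFC1035_UDP_MAX) -> bool:
    """Model the firewall DNS ALG: drop any UDP DNS message above the configured maximum."""
    return udp_len <= max_message_length


def resolve_outcome(query: bytes, answer_len: int, alg_max: int = RFC1035_UDP_MAX) -> str:
    """Combine the three models into the outcome the resolver observes."""
    sent, truncated = server_udp_reply(query, answer_len)
    if not firewall_alg_passes(sent, alg_max):
        return "timeout: reply dropped by DNS ALG"
    if truncated:
        return "truncated: resolver retries over TCP"
    return "answered over UDP"


if __name__ == "__main__":
    big_answer = 1200   # constructed: a referral too large for a 512-byte UDP reply
    old_dc = build_query("example.com", edns_payload=None)   # EDNS disabled
    new_dc = build_query("example.com")                      # EDNS enabled, advertises 4096
    print("old DC, ALG 512 :", resolve_outcome(old_dc, big_answer))
    print("new DC, ALG 512 :", resolve_outcome(new_dc, big_answer))
    print("new DC, ALG 1500:", resolve_outcome(new_dc, big_answer, alg_max=1500))
```

The three printed lines reproduce the thread: the old DC (no EDNS) gets a truncated 512-byte reply that the ALG passes and then retries over TCP, which the ALG does not cap; the new DC (EDNS on) is sent the whole 1200-byte reply in UDP, the ALG drops it, and resolution times out; raising the ALG's maximum-message-length to 1500, as in the Juniper command above, lets the same reply through. Forwarding to the old DC or to 8.8.8.8 worked for the same reason the Google test did: those hops were either not EDNS-advertising or not behind the capped ALG.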